Sourceree Insights

Federal Agencies Need to Implement Recommendations to Manage Supply Chain Risks

Written by ShieldSquad | Mar 15, 2022 12:53:31 PM

The exploitation of information and communications technology (ICT) products and services through the supply chain is an emerging threat. ICT supply chain threats can be introduced during the manufacturing, assembly, and distribution of hardware, software, and services. Moreover, these threats can appear at each phase of the system development life cycle, as an agency initiates, develops, implements, maintains, and disposes of an information system. As a result, a compromise of an agency's ICT supply chain can degrade the confidentiality, integrity, and availability of its critical and sensitive networks, IT-enabled equipment, and data.

Over the past several years, Congress and federal agencies have taken a number of steps aimed at mitigating ICT supply chain risks. Despite these measures, we have previously reported that federal agencies have not effectively managed those risks.

Few Federal Agencies Implemented Foundational Practices for Managing ICT Supply Chain Risks

The recent compromise of SolarWinds highlights the significance of threats to the ICT supply chain. In December 2020, we reported on the 23 civilian agencies' implementation of foundational practices for managing ICT supply chain risks. In that report, we identified and selected seven practices from NIST's supply chain risk management (SCRM) guidance that are considered foundational for an organization-wide approach to ICT SCRM. These selected foundational practices are:

  • Establishing executive oversight of ICT activities, including designating responsibility for leading agency-wide SCRM activities;
  • Developing an agency-wide ICT SCRM strategy for providing the organizational context in which risk-based decisions will be made;
  • Establishing an approach to identify and document agency ICT supply chain(s);
  • Establishing a process to conduct agency-wide assessments of ICT supply chain risks that identify, aggregate, and prioritize ICT supply chain risks that are present across the organization;
  • Establishing a process to conduct a SCRM review of a potential supplier that may include reviews of the processes used by suppliers to design, develop, test, implement, verify, deliver, and support ICT products and services;
  • Developing organizational ICT SCRM requirements for suppliers to ensure that suppliers are adequately addressing risks associated with ICT products and services;
  • Developing organizational procedures to detect counterfeit and compromised ICT products prior to their deployment.

However, as we discussed in our report, none of the 23 agencies had fully implemented all seven of these SCRM practices, and 14 of the 23 agencies had not implemented any of them. Figure 1 (not reproduced here) summarizes the extent of the agencies' implementation of the practices.

Because they have not fully implemented these foundational practices, the agencies are at greater risk that malicious actors could exploit vulnerabilities in the ICT supply chain, causing disruptions to mission operations, harm to individuals, or theft of intellectual property. For example, without executive oversight of SCRM activities, agencies are limited in their ability to make risk decisions across the organization about how to most effectively secure their ICT product and service supply chains. Moreover, without reasonable visibility into and traceability of their supply chains, agencies cannot understand and manage risk or reduce the likelihood that adverse events will occur.

Officials from the 23 agencies cited various factors that had limited their implementation of the selected foundational practices for managing supply chain risks. The most commonly cited factor was the lack of federal SCRM guidance.


Want to read more? Check out the June 2021 SHIELDWatch Newsletter.